[7.920][BUG][FIXED] IPS kills Site-to-site SSL and HTTP/S proxy

Reinstalled 7.920 from ISO and still have problems. If I reboot with IPS enabled, HTTP/S proxy blocks everything and SSL-tunnel is down. Disable/enable of IPS solves the problem.
  • Is there evidence why the packets are blocked in the packetfilter.log? Can you please post some lines from that log?
  • Found a lot of these entries, 15.164.2.1 is my ASG lan-interface
    Have tried to clear the cache also.

    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="216.146.36.36" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="33318" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="216.146.36.36" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="33138" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="195.67.199.9" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="17637" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="195.67.199.9" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="51707" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="199.7.83.42" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="52410" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="199.7.83.42" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="9159" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="202.12.27.33" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="62056" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="0:c:29:f:c1:c2" dstmac="0:30:18:ae:f:f7" srcip="15.164.2.223" dstip="208.78.69.75" proto="17" length="70" tos="0x00" prec="0x00" ttl="63" srcport="50517" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="0:c:29:f:c1:c2" dstmac="0:30:18:ae:f:f7" srcip="15.164.2.223" dstip="208.78.69.75" proto="17" length="60" tos="0x00" prec="0x00" ttl="63" srcport="64275" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="202.12.27.33" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="64276" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="198.41.0.4" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="4482" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="198.41.0.4" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="39554" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.228.79.201" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="2057" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.228.79.201" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="39811" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.203.230.10" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="43957" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.203.230.10" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="36643" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.112.36.4" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="37159" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.112.36.4" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="28023" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="128.63.2.53" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="3680" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="128.63.2.53" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="25978" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.36.148.17" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="14864" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.36.148.17" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="49131" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="193.0.14.129" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="28000" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="193.0.14.129" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="63688" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.33.4.12" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="64768" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="192.33.4.12" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="31136" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="128.8.10.90" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="14590" dstport="53" 
    2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="128.8.10.90" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38302" dstport="53"
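The quickest way to see what the excerpt above is telling you is to parse the key="value" fields and group the drops by rule, interface, protocol and destination port. The script below is an added example, not code from the thread or from Astaro/Sophos: it embeds three lines copied from the packetfilter.log excerpt above as sample input, counts the drops per (fwrule, outitf, proto, dstport), and reports the share that is DNS. The "local" vs "forwarded" classification is an interpretation based on the missing initf field (a packet with no ingress interface was generated by the firewall host itself, here the ASG's own resolver queries from 15.164.2.1); the ASG's meaning of rule ids 60002/60003 is not asserted.

```python
import re
from collections import Counter

# Three entries copied from the packetfilter.log excerpt posted above; the
# remaining lines in that post have the same shape.
SAMPLE_LOG = """\
2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="216.146.36.36" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="33318" dstport="53"
2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="0:c:29:f:c1:c2" dstmac="0:30:18:ae:f:f7" srcip="15.164.2.223" dstip="208.78.69.75" proto="17" length="70" tos="0x00" prec="0x00" ttl="63" srcport="50517" dstport="53"
2010:06:09-21:43:33 vretstorp ulogd[4023]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="0:30:18:ae:4f:3f" srcip="15.164.2.1" dstip="198.41.0.4" proto="17" length="60" tos="0x00" prec="0x00" ttl="64" srcport="4482" dstport="53"
"""

# ulogd writes every field as key="value"; values never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line: str) -> dict:
    """Split one ulogd line into timestamp, host and its key="value" fields."""
    head, _, body = line.partition(": ")          # '<ts> <host> ulogd[pid]' : fields
    fields = dict(KV_RE.findall(body))
    fields["timestamp"], fields["host"], _ = head.split(" ", 2)
    return fields


def classify_origin(fields: dict) -> str:
    """Interpretation (assumption): no initf means the packet was generated by the
    firewall host itself (OUTPUT path); an initf means it was forwarded for a client."""
    return "forwarded" if "initf" in fields else "local"


def summarize_drops(text: str) -> Counter:
    """Count dropped packets by (fwrule, outbound interface, protocol, dstport)."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") != "drop":
            continue
        proto = PROTO_NAMES.get(f.get("proto", ""), f.get("proto", "-"))
        counts[(f.get("fwrule", "-"), f.get("outitf", "-"), proto, f.get("dstport", "-"))] += 1
    return counts


def dns_drop_fraction(text: str) -> float:
    """Share of all drops that are UDP or TCP to port 53, i.e. DNS."""
    counts = summarize_drops(text)
    total = sum(counts.values())
    dns = sum(n for (_, _, proto, port), n in counts.items()
              if port == "53" and proto in ("udp", "tcp"))
    return dns / total if total else 0.0


def drops_by_origin(text: str) -> Counter:
    """Count drops per (srcip, local/forwarded) to see whose traffic is affected."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            f = parse_line(line)
            counts[(f.get("srcip", "-"), classify_origin(f))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print("rule=%s out=%s %s/%s: %d drops" % (key + (n,)))
    for (src, origin), n in sorted(drops_by_origin(SAMPLE_LOG).items()):
        print("%s (%s): %d drops" % (src, origin, n))
    print("DNS share of drops: %.0f%%" % (100 * dns_drop_fraction(SAMPLE_LOG)))
```

Run it against a full packetfilter.log (feed the file contents instead of SAMPLE_LOG) while the proxy is broken; a DNS share near 100% with the firewall's own LAN address as a "local" source is what makes "it looks like DNS packets are dropped" a defensible reading rather than a guess.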
  • Okay, that looks like DNS packets are being dropped. Can you please disable those IPS rules that have to do with DNS and try again?

    We also know of a defect that has to do with the time it takes to do a complete snort reload, so it's generally a good idea to use as few IPS rules as possible (i.e. only those rules that you really need). Fewer rules -> faster reload -> less likely to get bitten.
  • Disabled all DNS-rules in IPS, no change.
  • Let's do one other try: can you please disable all IPS rules, leaving only the "DoS/DDoS communication" in the Malware section enabled? You need to restart IPS and wait a moment (take a look at the IPS live log) before trying SSL-VPN again.

    Oh, and please, can you post the ips logfile from this try?
  • Disabled rules according to your instructions and restarted IPS: no problem with the HTTP proxy. Then I rebooted and the HTTP proxy still works! Cannot test Site-to-site SSL, because my gateway is down.
    ips2.log.zip
  • Let's do one other try: can you please disable all IPS rules, leaving only the "DoS/DDoS communication" in the Malware section enabled? You need to restart IPS and wait a moment (take a look at the IPS live log) before trying SSL-VPN again.

    Oh, and please, can you post the ips logfile from this try?

    I tried this and with IPS enabled, HTTP Proxy is still working...